Businesses must notify most data breaches to the DPA. This must be done without undue delay within 72 hours of awareness. In some cases, the data controller must also notify the affected data subjects without undue delay. Additionally, the UK ICO, for example, already expects to be informed about all “serious” breaches. Research has shown that most organisations have no formal incident response plan and as such would be unable to meet the 72 hour requirement due to being ill prepared for a breach. This under the GDPR is not a valid reason to miss the required timeline.
All of the above are areas that if not met, and in the event of a data breach, will result in heavy fines. A two-tiered approach will apply. Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater. This will result in many business being forced out of business as a result.